Privacy Policy

    Our role in your privacy

    If you are a Strapi customer or user, employee, applicant, or just visiting our website, this policy applies to you.

    Our responsibilities

    If you are a registered customer of Strapi, we act as the ‘data controller’ of personal data about you and your use of Strapi, but as the ‘data processor’ of personal data in the information you put into Strapi (like information about your users, etc.).

    Your responsibilities

    • Read this Privacy Policy
    • If you are our customer, please also check the contracts between us: they may contain further details on how we collect and process your data.
    • If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorize us to process it on your behalf in accordance with this Privacy Policy.

    When and how we collect data

    From the first moment you interact with Strapi, we are collecting data. Sometimes you provide us with data, and sometimes we collect data about you, either automatically or sometimes from other sources, like publicly available websites or from a trusted data supplier.


    Types of data we collect

    Contact details: Your name, address, telephone number, email address...

    Financial information: Your credit/debit card details...

    Data that identifies you: Your IP address, login information, browser type and version, time zone setting, browser plug-in types, geolocation information about where you might be, operating system and version, etc.

    Data on how you use Strapi: Your URL clickstreams (the path you take through our site), products/services viewed, page response times, download errors, how long you stay on our pages, what you do on those pages, how often, and other actions…

    What about really sensitive data?

    We don’t collect any "sensitive data" about you (like racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, data about your sexual life or orientation, and offenses or alleged offenses) except when we have your specific consent, or when we have to comply with the law.

    What about children’s data? Strapi is a business-to-business service directed to and intended for use only by those who are 16 years of age or over. We do not target Strapi at children, and we do not knowingly collect any personal data from any person under 16 years of age.


    How and why we use your data

    Data protection law means that we can only use your data for certain reasons and where we have a legal basis for doing so.

    Here are the reasons for which we process your data:

    Keeping Strapi running: Log in and authentication, processing payments.

    Legal Basis for this data usage: Contract + Legitimate Interests

    Improving Strapi: Testing features, interacting with feedback platforms and questionnaires, managing landing pages, heat mapping our site, traffic optimization and data analysis and research, including profiling and the use of machine learning and other techniques over your data and in some cases using third parties to do this.

    Legal Basis: Contract + Legitimate Interests

    Customer Support: Notifying you of any changes to our service, solving issues via live chat support, phone or email, including any bug fixing.

    Legal Basis: Contract

    Newsletter and event invitations (with your consent): Sending you emails and messages about events and new features, products and services, and content.

    Legal Basis: Consent

    Applicant and employee data: We will use and retain the personal data of our employees to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately while you are working for us. We will use your data to comply with any legal obligation required by labor law, social security law, and social protection. When you apply for an advertised position, we use your data for this opening only. We delete data from unsuccessful applicants after we have appointed our new team member and the claim period (e.g. non-discrimination act) has ended. If you send us a spontaneous application, we will store your data until your withdrawal.

    Legal Basis: Contract

    HERE IS WHAT EACH OF THESE "LEGAL BASES" MEANS:

    Consent: You have given clear consent for us to process your personal data for a specific purpose.

    Contract: Processing your data is necessary for a contract you have with us, or because you have asked us to take specific steps before entering into that contract.

    Legitimate interests: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests. These legitimate interests are:

    • Gaining insights from your behavior on our website or in our Software.
    • Delivering, developing, and improving the Strapi Services.
    • Enabling us to enhance, customize or modify our services and comms.
    • Promoting and marketing Strapi to potential customers.
    • Determining whether marketing campaigns are effective.
    • Enhancing data security.

    In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests.

    You can change your mind!

    If you have previously given consent to our processing your data you can freely withdraw such consent at any time. You can do this by emailing us at privacy@strapi.io.

    If you do withdraw your consent, and if we do not have another legal basis for processing your information, then we will stop processing your personal data. If we do have another legal basis for processing your information, then we may continue to do so subject to your legal rights.


    Your privacy choices and rights

    YOUR CHOICES

    You can choose not to provide us with personal data

    If you choose to do this, you can continue to use the website and browse its pages, but we will not be able to process transactions without personal data.

    You can turn off cookies

    You can block cookies by activating a setting on your browser allowing you to refuse cookies, or by using the cookie tool on our website. You can also delete cookies through your browser settings. If you turn off cookies, you can continue to use the website and Strapi, but certain services will not work effectively.

    You can ask us not to use your data for marketing

    We will inform you (before collecting your data) if we intend to use your data for marketing and if third parties are involved. You can opt out from marketing by emailing us at privacy@strapi.io.

    YOUR RIGHTS

    You can exercise your rights by sending us an email at privacy@strapi.io.

    You have the right to access information we hold about you

    This includes the right to ask us for supplementary information about:

    • The categories of data we’re processing
    • The purposes of data processing
    • The categories of third parties to whom the data may be disclosed
    • How long the data will be stored (or the criteria used to determine that period)
    • Your other rights regarding our use of your data

    We will provide you with the information within one month of your request, unless doing so would adversely affect the rights and freedoms of others (e.g. another person’s confidentiality or intellectual property rights). We’ll tell you if we can’t meet your request for that reason.

    You have the right to make us correct any inaccurate personal data about you

    You can object to us using your data for profiling you or making automated decisions about you

    We may use your data to determine whether we should let you know information that might be relevant to you (for example, tailoring emails to you based on your behaviour). Otherwise, the only circumstance in which we will do this is to provide the Strapi service to you.

    You have the right to port your data to another service

    We will give you a copy of your data in CSV or JSON so that you can provide it to another service. If you ask us and it is technically possible, we will directly transfer the data to the other service for you. We will not do so to the extent that this involves disclosing data about any other individual.

    You have the right to be ‘forgotten’ by us

    You can do this by asking us to erase any personal data we hold about you, if it is no longer necessary for us to hold the data for purposes of your use of Strapi. This right doesn’t always apply (for example, if we have a contract with you), but we’ll tell you if this is the case when you ask us to erase your data.

    You have the right to lodge a complaint regarding our use of your data

    Please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the supervisory authority for data protection issues in your country of residence.

    If you are located in the EEA or the UK and you are a Customer, Site Visitor or Event Attendee, and wish to exercise any of the rights set out above, you may contact us at privacy@strapi.io using the term "DSR" as your email subject line.

    You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request under those circumstances.

    If we cannot reasonably verify your identity, we will not be able to comply with your request(s). We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Note that this is especially true when you engage a third party to assist you in exercising your rights.

    We will respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated as required by law. In addition, we will always balance your rights against those of other data subjects in connection with any requests, and in some cases this may require us to redact our responses or deny a request.

    European Representative

    Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Strapi has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:

    • Email at privacy@strapi.io, or
    • Writing to EDPO at Strapi Solutions, 128 rue de la Boétie, 75008 Paris, France

    How secure is the data we collect?

    We have put in place reasonably appropriate security measures designed to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. We limit access to personal data only to those employees, agents, contractors and the third parties who have a business need-to-know.

    We also have procedures in place to deal with any suspected data security breach. If required, we will notify you and any applicable regulator of a suspected data security breach. We also require those parties to whom we transfer your personal information to provide acceptable standards of security.

    Notwithstanding, no Internet or email transmission is ever fully secure or error free. In particular, email sent to or from the Solution may not be secure. Therefore, take special care in deciding what information you send to us via email. For any questions about the security of your information, please contact privacy@strapi.io.

    And please remember:

    • You provide personal data at your own risk: unfortunately, no data transmission is guaranteed to be 100% secure
    • You are responsible for your username and password: keep them secret and safe!
    • If you believe your privacy has been breached, please contact us immediately on

    Where do we store the data?

    Strapi is a United States Delaware corporation with primary storage of your information in the United States and the EEA. To facilitate our global operations, we may process personal information from around the world, including from other countries in which Strapi has operations, employees, or in the data processing facilities operated by the third parties identified below.

    If you are accessing or using our Solution or otherwise providing personal information to us, you are agreeing and consenting to the processing of your personal information in the United States and other jurisdictions in which we operate.

    If you are a Customer, you are responsible for informing your End Users of how and where their personal data will be processed at the time of collection.


    How long do we store your data?

    If you’ve been a Strapi customer, we’ll delete your personal data from our systems six years after you stop being a Strapi customer. We keep the information during this time in case there are any legal claims relating to your time as a customer. We’ll delete information that you have in Strapi itself in accordance with the arrangements set out in your contract with us.

    If we contacted you about buying Strapi or you requested a demo from us, we’ll delete your personal data from our systems two years after we last contacted you. This stops us from contacting you again too soon if you’re not interested in Strapi right now.

    If you’re a member of the Strapi Discord community, we’ll delete your personal data from our systems two years after you leave the Discord community.


    Third parties who process your data

    Tech businesses often use third parties to help them host their application, communicate with customers, power their emails etc. We partner with third parties who we believe are the best in their field at what they do.

    When we do this, sometimes it is necessary for us to share your data with them in order to get these services to work well. Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Policy.

    We’ve divided our third-party service providers into 3 types:

    1. Strapi Solution: our sub-processors

    These are the third-party service providers who help us to process personal data on your behalf when you are a Strapi customer. You are the controller of this personal data. We use these sub-processors to provide hosting and functionality in the Strapi Solution.

    If you add third-party integrations to your Strapi project, we strongly advise you to consult the privacy policy for each of those integrations. Strapi cannot be held responsible for the personal data shared with the providers of these integrations.

    2. Strapi Solution: our tech providers

    These are the third-party service providers who we use to help run our Solution. They process personal data (of which we are the controller) on our behalf.

    3. Other third-party service providers

    These are other third-party service providers who we use to help run our business (including this website).

    You will find a list here of our current third-party service providers.


    Cookies

    We use cookies. Unless you adjust your browser settings to refuse cookies, we (and these third parties) will issue cookies when you interact with Strapi. These may be ‘session’ cookies, meaning they delete themselves when you leave Strapi, or ‘persistent’ cookies which do not delete themselves and help us recognise you when you return so we can provide a tailored service.

    How can I block cookies?

    You can block cookies by activating a setting on your browser allowing you to refuse the setting of cookies. You can also use our cookie banner to manage your preferences. You can also delete cookies through your browser settings. If you use your browser settings to disable, reject, or block cookies (including essential cookies), certain parts of our website or app will not function fully. In some cases, our website or app may not be accessible at all. Please note that where third parties use cookies we have no control over how those third parties use those cookies.

    Which specific cookies do we use?



    Contact Us

    If you have any questions or suggestions regarding this Privacy Policy, please contact us at privacy@strapi.io.

    Last update: March 01, 2023